Host-based firewalls

A host-based firewall is a piece of software installed and running on a single host that can restrict incoming (ingress) and outgoing (egress) network activity for that host only. The firewall software can prevent a host from getting infected by blocking access to the network port of potentially vulnerable services. This doesn't, however, prevent the compromise of a vulnerable service that isn't blocked by the firewall. Host-based firewalls have undergone many changes. They have gone from simple port-blocking utilities to application-aware firewalls that, much like network-based proxy-firewalls, can allow or deny network activity from a specific application installed on the host.

In addition to restricting network activity based on rules, some host-based firewalls incorporate antivirus software and intrusion prevention capabilities. They can also provide browser protection, such as suppressing pop-ups, restricting mobile code, blocking cookies, and identifying potential privacy issues within web pages and e-mails.

The best-known host-based firewall is probably the Windows built-in firewall. Windows firewall was introduced with Windows XP, which originally shipped in October 2001 and started off as a limited firewall called Internet Connection Firewall (ICF). The ICF was disabled by default due to concerns about backward compatibility, and the configuration screens were hidden from easy access. As a result, the ICF was rarely used. From mid-2003 through 2004, many highly successful malware campaigns resulted in unpatched Windows machines being infected within a matter of minutes, once connected to the Internet. Because of this, along with criticisms that Microsoft was not being proactive in protecting its customers from threats, Microsoft decided to significantly improve both the functionality and the interface of Windows XP's built-in firewall. The ICF was rebranded as Windows Firewall and was switched on by default starting with Windows XP SP2.

Throughout the generations of the Windows operating system, the Windows firewall has seen some tremendous improvements in functionality and usability. The firewall went from a simple, stateless, ingress-only, rule-based, port-blocking application to a fully integrated firewall solution covering ingress and egress connection requests. The firewall can be controlled and configured with Active Directory Group Policy Management.

You should make sure the firewall is enabled on all your ICS clients and that only the absolutely necessary exceptions are applied. Checking the status of the Windows firewall can be easily done from the client computer by doing a start menu search on firewall status:

This results in a screen similar to the one shown in the following figure, if the firewall is not enabled:

The firewall can be enabled by clicking on the Use recommended settings button:
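The same status check and enablement can be done from an elevated PowerShell prompt, which is useful when you want to script it or record the result. The following is an added example, not code from the book; it uses the NetSecurity cmdlets that ship with Windows 8 / Server 2012 and later and assumes no names beyond those built-in cmdlets:

```powershell
# Added example (not from the book): check and enable Windows Firewall on one ICS client.
# Run in an elevated PowerShell session.

# 1. Is the firewall service (MpsSvc) present and running?
$svc = Get-Service -Name MpsSvc
"Windows Firewall service: Status=$($svc.Status) StartType=$($svc.StartType)"

# 2. Per-profile state: Domain, Private and Public each carry their own Enabled flag,
#    so a host can be protected on the domain and unprotected on a public network.
Get-NetFirewallProfile |
    Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction |
    Format-Table -AutoSize

# 3. Enable every profile that is off, blocking unsolicited inbound traffic by default
#    (the same outcome as clicking "Use recommended settings").
$disabled = Get-NetFirewallProfile | Where-Object { -not $_.Enabled }
if ($disabled) {
    Set-NetFirewallProfile -Profile $disabled.Name -Enabled True -DefaultInboundAction Block
    "Enabled profile(s): $($disabled.Name -join ', ')"
}

# 4. Review the exceptions actually in force: enabled inbound allow rules.
#    Each one is a port the firewall will not protect, so this list should be short
#    and every entry should be one you can justify for this host.
Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    ForEach-Object {
        $port = $_ | Get-NetFirewallPortFilter
        [pscustomobject]@{
            Rule     = $_.DisplayName
            Profile  = $_.Profile
            Protocol = $port.Protocol
            Port     = $port.LocalPort
        }
    } | Sort-Object Port | Format-Table -AutoSize
```

Step 4 is the part worth keeping on hand: the GUI shows whether the firewall is on, but the list of enabled inbound allow rules is what tells you how much of the host is actually exposed.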

Having to do this for all your clients might become a daunting task depending on the size of the ICS network. If you are lucky enough or brave enough, depending on who you ask, and have a domain established on the ICS network that covers the industrial zone clients, you can use a group policy setting to force the firewall to start on system boot. The following instructions detail how this is done: 

  1. In your Active Directory Domain Controller, open the Group Policy Management tool:
  1. Find the group policy that applies to the clients on which we want to enforce firewall startup at boot. Note that I created a dedicated policy object for clients that are not restricted in any way. This means that they can be updated and rebooted and controlled in other ways without hindering production:
  1. Right-click on the policy and select Edit....
  1. Now, navigate to Computer Configuration | Policies | Windows Settings | Security Settings | System Services:
  1. From here, right-click on the Windows Firewall service and select Properties. Now, in the Windows Firewall Properties, select the following options:
    1. Select Define this policy setting.
    2. Select Automatic for Select service startup mode.
    3. Now click on OK to make the changes.
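Once the policy is in place, you will want proof that it reached every client rather than trusting the editor. The script below is an added example, not from the book: it queries a list of clients over PowerShell remoting and reports whether the Windows Firewall service is set to Automatic and running and whether all firewall profiles are enabled. The client names are constructed placeholders; it assumes WinRM is enabled on the clients and that you run it as an account with local administrator rights on them.

```powershell
# Added example (not from the book): verify that the System Services policy took effect.
# Placeholder client names; replace with your own industrial-zone hosts.
$clients = 'ICS-HMI-01', 'ICS-ENG-01', 'ICS-HIST-01'

$results = Invoke-Command -ComputerName $clients -ErrorAction Continue -ScriptBlock {
    # Refresh policy first so we test the current GPO, not a stale one.
    gpupdate /target:computer /force | Out-Null

    # Service Control Manager view of the firewall service.
    $svc = Get-CimInstance Win32_Service -Filter "Name='MpsSvc'"

    # Start=2 in the service key is "Automatic"; the security-settings policy writes this value.
    $start = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\MpsSvc').Start

    # Any profile still disabled means the host is unprotected on that network type.
    $off = Get-NetFirewallProfile | Where-Object { -not $_.Enabled } |
        Select-Object -ExpandProperty Name

    [pscustomobject]@{
        StartMode        = $svc.StartMode      # expect 'Auto'
        State            = $svc.State          # expect 'Running'
        StartRegValue    = $start              # expect 2
        DisabledProfiles = ($off -join ',')    # expect empty
        Compliant        = ($svc.StartMode -eq 'Auto' -and
                            $svc.State -eq 'Running' -and
                            -not $off)
    }
}

$results |
    Select-Object PSComputerName, StartMode, State, StartRegValue, DisabledProfiles, Compliant |
    Format-Table -AutoSize

# Hosts that did not answer are as interesting as non-compliant ones: they may be off,
# unreachable, or not yet in the OU the policy is linked to.
$missing = $clients | Where-Object { $_ -notin $results.PSComputerName }
if ($missing) { "No response from: $($missing -join ', ')" }
```

Running this after each policy change, and again after the next maintenance window, catches the two common failures: a client that sits outside the linked OU and never receives the policy, and a client where someone has stopped the service even though its startup type is still Automatic.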

This will make the Windows Firewall service start automatically at startup every time the system boots, even if the service is disabled by the user. Access to the startup settings of the service can be further restricted by setting the security properties under Edit Security. Click on OK to finalize the configuration of the Windows Firewall service.

The previous instructions solidified the startup behavior of the Windows Firewall service. To control how the system user is allowed to interact with the service, we can manipulate some other group policy settings.

In the same Local Group Policy Editor screen, navigate to Computer Configuration | Policies | Administrative Templates: Policy definitions (AD DC) | Network | Network Connections:

In the two submenus shown here, different restrictions can be applied to situations where the system is connected in a domain environment and where it's not. This is a great way to protect laptops because they can be set to act more restrictive when they leave the domain environment.

Under the domain submenu, we can observe several settings that can be configured. From here, aspects such as preventing firewall exceptions from being added or removed can be set. Also available in this submenu are globally administered port exceptions, as well as program exceptions.
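The Administrative Template settings under Network Connections are ordinary registry policies, so they can also be set from the GroupPolicy module (part of RSAT) on the domain controller. The following is an added example, not code from the book. The GPO name and OU path are placeholders; the registry paths are the ones these Windows Firewall templates write (DomainProfile for the domain submenu, StandardProfile for the non-domain one), and the value names EnableFirewall, DisableNotifications and DoNotAllowExceptions correspond to the "Protect all network connections", "Prohibit notifications" and "Do not allow exceptions" settings. It applies the stricter "no exceptions" setting only off the domain, which is the laptop case described above.

```powershell
# Added example (not from the book): set the Network Connections firewall policies
# with the GroupPolicy module instead of clicking through the editor.
Import-Module GroupPolicy

$gpoName = 'ICS Clients - Windows Firewall'     # placeholder GPO name
$ouPath  = 'OU=ICS Clients,DC=example,DC=local' # placeholder OU
$base    = 'HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall'

# Create and link the GPO if it does not exist yet.
if (-not (Get-GPO -Name $gpoName -ErrorAction SilentlyContinue)) {
    New-GPO -Name $gpoName | New-GPLink -Target $ouPath | Out-Null
}

# Settings applied both on and off the domain: firewall on, and no pop-up inviting
# the operator to unblock a program.
foreach ($profile in 'DomainProfile', 'StandardProfile') {
    $key = "$base\$profile"
    # "Windows Firewall: Protect all network connections" = Enabled
    Set-GPRegistryValue -Name $gpoName -Key $key -ValueName EnableFirewall `
        -Type DWord -Value 1 | Out-Null
    # "Windows Firewall: Prohibit notifications" = Enabled
    Set-GPRegistryValue -Name $gpoName -Key $key -ValueName DisableNotifications `
        -Type DWord -Value 1 | Out-Null
}

# Off the domain (a laptop on a vendor or home network) be stricter:
# "Windows Firewall: Do not allow exceptions" = Enabled.
Set-GPRegistryValue -Name $gpoName -Key "$base\StandardProfile" -ValueName DoNotAllowExceptions `
    -Type DWord -Value 1 | Out-Null

# Show what the GPO now contains, for review before the next policy refresh.
Get-GPRegistryValue -Name $gpoName -Key "$base\DomainProfile"
Get-GPRegistryValue -Name $gpoName -Key "$base\StandardProfile"

# On a client, after gpupdate, the same values appear under the Policies hive and can
# be read back to confirm the policy landed:
#   Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile'
```

Keeping the domain profile slightly more permissive than the standard profile matters in an ICS network: engineering workstations often need a small, known set of exceptions on the plant network, while the same laptop outside the plant should accept no inbound connections at all.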
